Sync release-aks-ee-feb with main

Sync release-aks-ee-feb with main

Author: sethmanheim

.openpublishing.redirection.azure-local.json

@@ -1909,6 +1909,11 @@
       "source_path": "azure-local/security-update/security-update-jan-2025.md", 
       "redirect_url": "/azure/azure-local/security-update/security-update", 
       "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/manage/trusted-launch-vm-deploy.md", 
+      "redirect_url": "/azure/azure-local/manage/trusted-launch-vm-overview", 
+      "redirect_document_id": false
     }
   ]
-}
+}

azure-local/TOC.yml

@@ -275,11 +275,11 @@ items:
 
   - name: Trusted launch for Arc VMs
     items: 
-      - name: What is Trusted Launch for Arc VMs?
+      - name: What is Trusted launch for Arc VMs?
         href: manage/trusted-launch-vm-overview.md
-      - name: Deploy Trusted Launch for Arc VMs
-        href: manage/trusted-launch-vm-deploy.md
-      - name: Manage guest state protection key
+      - name: Automatic virtual TPM state transfer
+        href: manage/trusted-launch-automatic-state-transfer.md
+      - name: Manual backup and recovery
         href: manage/trusted-launch-vm-import-key.md
 
   - name: Non Arc VMs

azure-local/concepts/security-features.md

@@ -5,7 +5,7 @@ author: alkohli
 ms.author: alkohli
 ms.topic: conceptual
 ms.service: azure-local
-ms.date: 02/14/2025
+ms.date: 02/26/2025
 ---
 
 # Security features for Azure Local
@@ -158,10 +158,22 @@ For more information, see [Manage syslog forwarding](../manage/manage-syslog-for
 
 Azure Local comes with Microsoft Defender Antivirus enabled and configured by default. We strongly recommend that you use Microsoft Defender Antivirus with your Azure Local instances. Microsoft Defender Antivirus provides real-time protection, cloud-delivered protection, and automatic sample submission.
 
-Although we recommend using Microsoft Defender Antivirus for Azure Local, if you prefer third-party antivirus and security software, we advise selecting one that your Independent Software Vendor (ISV) has validated for Azure Local to minimize potential functionality issues.
+Although we recommend using Microsoft Defender Antivirus for Azure Local, if you prefer third-party antivirus and security software, **we advise selecting one that your Independent Software Vendor (ISV) has validated for Azure Local** to minimize potential functionality issues.
 
 For more information, see [Microsoft Defender Antivirus compatibility with other security products](/defender-endpoint/microsoft-defender-antivirus-compatibility).
 
+In the rare instance that you experience any functionality issues with Azure Local using a third-party antivirus software, you can exclude the following paths:
+
+- C:\Agents\\*
+- C:\CloudContent\\*
+- C:\CloudDeployment\\*
+- C:\ClusterStorage\\*
+- C:\EceStore\\*
+- C:\MASLogs\\*
+- C:\NugetStore\\*
+- C:\deploymentpackage\\*
+- C:\ProgramData\GuestConfig\extension_logs\\*
+
 > [!NOTE]
 > If you remove the Microsoft Defender Antivirus feature, leave the settings associated with the feature from the security baseline as-is. You don't need to remove these settings.
 

azure-local/deploy/single-server.md

@@ -6,7 +6,7 @@ ms.author: robess
 ms.topic: how-to
 ms.reviewer: kimlam
 ms.lastreviewed: 01/17/2023
-ms.date: 01/31/2024
+ms.date: 02/27/2025
 ---
 
 # Deploy Azure Stack HCI on a single server
@@ -23,9 +23,9 @@ Currently you can't use Windows Admin Center to deploy Azure Stack HCI on a sing
 
 ## Prerequisites
 
-- A server from the [Azure Stack HCI Catalog](https://hcicatalog.azurewebsites.net/#/catalog) that's certified for use as a single-node cluster and configured with all NVMe or all SSD drives.
+- A server from the [Azure Stack HCI Catalog](https://hcicatalog.azurewebsites.net/#/catalog) certified for use as a single-node cluster and configured with all NVMe or all SSD drives.
 - For network, hardware and other requirements, see [Azure Stack HCI network and domain requirements](../deploy/operating-system.md#determine-hardware-and-network-requirements).
-- Optionally, [install Windows Admin Center](/windows-server/manage/windows-admin-center/deploy/install) to register and manage the server once it has been deployed.
+- Optionally, [install Windows Admin Center](/windows-server/manage/windows-admin-center/deploy/install) to register and manage the server after it's deployed.
 
 ## Deploy on a single server
 
@@ -38,8 +38,10 @@ Here are the steps to install the Azure Stack HCI OS on a single server, create
     ```
 
 1. Install the Azure Stack HCI OS on your server. For more information, see [Deploy the Azure Stack HCI OS](../deploy/operating-system.md#manual-deployment) onto your server.
+
 1. Configure the server utilizing the [Server Configuration Tool](/windows-server/administration/server-core/server-core-sconfig) (SConfig).
-1. Install the required roles and features using the following command, then reboot before continuing.
+
+1. Install the required roles and features using the following command, then reboot before you continue.
 
    ```powershell
    Install-WindowsFeature -Name "BitLocker", "Data-Center-Bridging", "Failover-Clustering", "FS-FileServer", "FS-Data-Deduplication", "Hyper-V", "Hyper-V-PowerShell", "RSAT-AD-Powershell", "RSAT-Clustering-PowerShell", "NetworkATC", "Storage-Replica", -IncludeAllSubFeature -IncludeManagementTools
@@ -60,10 +62,11 @@ Here are the steps to install the Azure Stack HCI OS on a single server, create
    ```
 
    > [!NOTE]
-   > - The cluster name should not exceed 15 characters.
-   > - The `New-Cluster` command will also require the `StaticAddress` parameter if the node is not using DHCP for its IP address assignment.  This parameter should be supplied with a new, available IP address on the node's subnet.
+   > - The cluster name shouldn't exceed 15 characters.
+   > - The `New-Cluster` command requires the `StaticAddress` parameter if the node isn't using DHCP for its IP address assignment. This parameter should be supplied with a new, available IP address on the node's subnet.
 
 1. Use [PowerShell](../deploy/register-with-azure.md?tab=power-shell#register-a-cluster) or [Windows Admin Center](../deploy/register-with-azure.md?tab=windows-admin-center#register-a-cluster) to register the cluster.
+
 1. [Create volumes](/windows-server/storage/storage-spaces/create-volumes).
 
 ## Updating single-node clusters
@@ -76,16 +79,20 @@ For solution updates (such as driver and firmware updates), see your solution ve
 
 ## Change a single-node to a multi-node cluster (optional)
 
-You can add servers to your single-node cluster, also known as scaling out, though there are some manual steps you must take to properly configure Storage Spaces Direct fault domains (`FaultDomainAwarenessDefault`) in the process. These steps aren't present when adding servers to clusters with two or more servers.
+You can add servers to your single-node cluster, also known as scaling out, though there are some manual steps you must take to properly configure Storage Spaces Direct fault domains (`FaultDomainAwarenessDefault`) in the process. These steps aren't present when you add servers to clusters with two or more servers.
 
 1. Validate the cluster by specifying the existing server and the new server: [Validate an Azure Stack HCI cluster - Azure Stack HCI | Microsoft Docs](../deploy/validate.md).
+
 2. If cluster validation was successful, add the new server to the cluster: [Add or remove servers for an Azure Stack HCI cluster - Azure Stack HCI | Microsoft Docs](../manage/add-cluster.md).
+
 3. Once the server is added, change the cluster's fault domain awareness from PhysicalDisk to ScaleScaleUnit: [Inline fault domain changes](../manage/single-node-scale-out.md#inline-fault-domain-changes).
+
 4. Optionally, if more resiliency is needed, adjust the volume resiliency type from a 2-way mirror to a Nested 2-way mirror: [Single-server to two-node cluster](../manage/single-node-scale-out.md#single-server-to-two-node-cluster).
+
 5. [Set up a cluster witness](../manage/witness.md).
 
 ## Next steps
 
-- [Deploy workload – AVD](../deploy/virtual-desktop-infrastructure.md)
-- [Deploy workload – AKS-HCI](/azure-stack/aks-hci/overview)
-- [Deploy workload – Azure Arc-enabled data services](/azure/azure-arc/data/overview)
+- [Deploy workload – AVD](../deploy/virtual-desktop-infrastructure.md).
+- [Deploy workload – AKS-HCI](/azure-stack/aks-hci/overview).
+- [Deploy workload – Azure Arc-enabled data services](/azure/azure-arc/data/overview).

azure-local/manage/create-arc-virtual-machines.md

@@ -136,7 +136,33 @@ Here we create a VM that uses specific memory and processor counts on a specifie
     | **storage-path-id** |The associated storage path where the VM configuration and the data are saved.  |
     | **proxy-configuration** |Use this optional parameter to configure a proxy server for your VM. For more information, see [Create a VM with proxy configured](#create-a-vm-with-proxy-configured).  |
 
-1. Run the following command to create a VM.
+1. Run the following commands to create the applicable VM.
+
+    **To create a Trusted launch Arc VM:**
+
+    1. Specify additional flags to enable secure boot, enable virtual TPM, and choose security type. Note, when you specify security type as Trusted launch, you must enable secure boot and vTPM, otherwise Trusted launch VM creation will fail.
+
+        ```azurecli
+        az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --enable-secure-boot true --enable-vtpm true --security-type "TrustedLaunch"
+        ```
+
+    1. Once the VM is created, to verify the security type of the VM is `Trusted launch`, do the following.
+
+    1. Run the following cmdlet (on one of the cluster nodes) to find the owner node of the VM:
+
+        ```azurecli
+        Get-ClusterGroup $vmName
+        ```
+
+    1. Run the following cmdlet on the owner node of the VM:
+
+        ```azurecli
+        (Get-VM $vmName).GuestStateIsolationType
+        ```
+
+    1. Ensure a value of `TrustedLaunch` is returned.
+
+    **To create a standard Arc VM:**
 
    ```azurecli
     az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId 
@@ -247,7 +273,7 @@ Follow these steps in Azure portal for your Azure Local.
 
         **The Virtual machine kind** is automatically set to **Azure Local**.
 
-    1. **Security type** - For the security of your VM, select **Standard** or **Trusted Launch virtual machines**. For more information on what are Trusted Launch Arc virtual machines, see [What is Trusted Launch for Azure Arc Virtual Machines?](./trusted-launch-vm-overview.md).
+    1. **Security type** - For the security of your VM, select **Standard** or **Trusted launch virtual machines**. For more information on what are Trusted launch Arc virtual machines, see [What is Trusted launch for Azure Arc Virtual Machines?](./trusted-launch-vm-overview.md).
 
    1. **Storage path** - Select the storage path for your VM image. Select **Choose automatically** to have a storage path with high availability automatically selected. Select **Choose manually** to specify a storage path to store VM images and configuration files on your Azure Local. In this case, ensure that the selected storage path has sufficient storage space.
 

azure-local/manage/media/trusted-launch-vm-deploy/create-arc-vm-1.png

@@ -0,0 +1,85 @@
+---
+title: Automatic virtual TPM state transfer for Azure Local
+description: Learn how automatic virtual TPM state transfer works for Azure Local.
+ms.topic: how-to
+author: alkohli
+ms.author: alkohli
+ms.service: azure-local
+ms.date: 02/27/2025
+---
+
+# Automatic transfer of virtual TPM state for Trusted launch VMs on Azure Local
+
+[!INCLUDE [applies-to](../includes/hci-applies-to-23h2.md)]
+
+This article uses an example to illustrate the automatic transfer of virtual TPM (vTPM) state in the case of Trusted launch Arc VMs on Azure Local, even as the VM migrates or fails over to another machine in the system. This operation allows the applications that use the vTPM to function normally during VM migration or fail over.
+
+
+## Example
+
+This example shows a Trusted launch Arc VM running Windows 11 guest with BitLocker encryption enabled. Here are the steps to run this example:
+
+1. Create a Trusted launch Arc VM running a supported Windows 11 guest operating system (OS).
+
+1. Enable BitLocker encryption for the OS volume on the Win 11 guest. Sign on to the Windows 11 guest and enable BitLocker encryption for the OS volume:
+
+    1. In the search box on the task bar, type "Manage BitLocker," and then select it from the list of results.
+
+    1. Select **Turn on BitLocker** and then follow the instructions to encrypt the OS volume (C:). BitLocker uses vTPM as a key protector for the OS volume.
+
+1. Confirm the owner node of the VM.
+
+    ```powershell
+    Get-ClusterGroup <VM name>
+    ```
+
+1. Migrate the VM to another machine in the system. Run the following PowerShell command from the machine that the VM is on.
+
+    ```powershell
+    Move-ClusterVirtualMachineRole -Name <VM name> -Node <destination node> -MigrationType Shutdown
+    ```
+
+1. Confirm that the owner node of the VM is the specified destination node.
+
+    ```powershell
+    Get-ClusterGroup <VM name>
+    ```
+
+1. After VM migration completes, verify if the VM is available and BitLocker is enabled.
+
+1. Verify that you can sign on to the Windows 11 guest in the VM, and if BitLocker encryption for the OS volume remains enabled. If true, this confirms that the vTPM state was preserved during VM migration.
+
+    > [!NOTE]
+    > If vTPM state wasn't preserved during VM migration, VM startup would result in BitLocker recovery during guest boot up. You would be prompted for the BitLocker recovery password when you attempted to sign on to the Windows 11 guest. This situation occurs because the boot measurement (stored in the vTPM) of the migrated VM on the destination node is different from that of the original VM.
+
+1. Force the VM to fail over to another machine in the system.
+
+    1. Confirm the owner node of the VM using the following command.
+
+        ```powershell
+        Get-ClusterGroup <VM name>
+        ```
+
+    1. Use Failover Cluster Manager to stop the cluster service on the owner node as follows: Select the owner node as displayed in Failover Cluster Manager.  On the **Actions** right pane, select **More Actions** and then select **Stop Cluster Service**.
+
+    1. Stopping the cluster service on the owner node causes the VM to be automatically migrated to another available machine in the system. Restart the cluster service afterwards.
+
+1. After failover completes, verify if the VM is available and BitLocker is enabled after failover.
+
+1. Confirm that the owner node of the VM is the specified destination node.
+
+    ```powershell
+    Get-ClusterGroup <VM name>
+    ```
+
+1. After VM failover completes, verify if the VM is available and BitLocker is enabled.
+
+1. Verify that you can sign on to the Windows 11 guest in the VM, and if BitLocker encryption for the OS volume remains enabled. If true, the vTPM state was preserved during VM failover.
+
+    > [!NOTE]
+    > If vTPM state wasn't preserved during VM migration, VM startup would result in BitLocker recovery during guest boot up. You would be prompted for the BitLocker recovery password when you attempted to sign on to the Windows 11 guest. This situation occurs because the boot measurement (stored in the vTPM) of the migrated VM on the destination node is different from that of the original VM.
+
+
+## Next steps
+
+- [Manage Trusted launch Arc VM guest state protection key](trusted-launch-vm-import-key.md).